1 /*
2 * MIT License
3 *
4 * Copyright (c) 2010-2022 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in all
14 * copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24 package waffle.util;
25
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.List;
29
30 import javax.servlet.http.HttpServletRequest;
31
32 import org.slf4j.Logger;
33 import org.slf4j.LoggerFactory;
34
35 /**
36 * The Class CorsPrefFlightCheck.
37 */
38 public final class CorsPreFlightCheck {
39
40 /** The logger. */
41 private static final Logger LOGGER = LoggerFactory.getLogger(CorsPreFlightCheck.class);
42
43 /** The Constant preflightAttributeValue. */
44 private static final String PRE_FLIGHT_ATTRIBUTE_VALUE = "PRE_FLIGHT";
45
46 /** The Constant CORS_PRE_FLIGHT_HEADERS. */
47 private static final List<String> CORS_PRE_FLIGHT_HEADERS = new ArrayList<>(
48 Arrays.asList("Access-Control-Request-Method", "Access-Control-Request-Headers", "Origin"));
49
50 /**
51 * Prevent Instantiation.
52 */
53 private CorsPreFlightCheck() {
54 // Do Nothing
55 }
56
57 /**
58 * Checks if is preflight.
59 *
60 * @param request
61 * the request
62 *
63 * @return true, if is preflight
64 */
65 public static boolean isPreflight(final HttpServletRequest request) {
66
67 final String corsRequestType = (String) request.getAttribute("cors.request.type");
68
69 CorsPreFlightCheck.LOGGER
70 .debug("[waffle.util.CorsPreflightCheck] Request is CORS preflight; continue filter chain");
71
72 // Method MUST be an OPTIONS Method to be a preflight Request
73 final String method = request.getMethod();
74 if (method == null || !method.equalsIgnoreCase("OPTIONS")) {
75 return false;
76 }
77
78 CorsPreFlightCheck.LOGGER.debug("[waffle.util.CorsPreflightCheck] check for PRE_FLIGHT Attribute");
79
80 /**
81 * Support Apache CorsFilter which would already add the Attribute cors.request.type with a value "PRE_FLIGHT"
82 **/
83 if (corsRequestType != null
84 && corsRequestType.equalsIgnoreCase(CorsPreFlightCheck.PRE_FLIGHT_ATTRIBUTE_VALUE)) {
85 return true;
86 } else {
87 /*
88 * it is OPTIONS and it is not an CorsFilter PRE_FLIGHT request make sure that the request contains all of
89 * the CORS preflight Headers
90 */
91 CorsPreFlightCheck.LOGGER.debug("[waffle.util.CorsPreflightCheck] check headers");
92
93 for (final String header : CorsPreFlightCheck.CORS_PRE_FLIGHT_HEADERS) {
94 final String headerValue = request.getHeader(header);
95 CorsPreFlightCheck.LOGGER.debug("[waffle.util.CorsPreflightCheck] {}", header);
96
97 if (headerValue == null) {
98 /* one of the CORS pre-flight headers is missing */
99 return false;
100 }
101 }
102 CorsPreFlightCheck.LOGGER.debug("[waffle.util.CorsPreflightCheck] is preflight");
103
104 return true;
105 }
106 }
107 }