Capitalize CORS header names

neo4j · Feb 19, 2018 · 2772505 · 2772505
1 parent a3d0cb1
commit 2772505
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 7 deletions.
diff --git a/community/server/src/main/java/org/neo4j/server/rest/web/CorsFilter.java b/community/server/src/main/java/org/neo4j/server/rest/web/CorsFilter.java
@@ -37,11 +37,11 @@
  */
 public class CorsFilter implements Filter
 {
-    private static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
-    private static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
-    private static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
-    private static final String ACCESS_CONTROL_REQUEST_METHOD = "access-control-request-method";
-    private static final String ACCESS_CONTROL_REQUEST_HEADERS = "access-control-request-headers";
+    public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
+    public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
+    public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
+    public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
+    public static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
 
     @Override
     public void init( FilterConfig filterConfig ) throws ServletException

diff --git a/community/server/src/test/java/org/neo4j/server/rest/security/AuthorizationCorsIT.java b/community/server/src/test/java/org/neo4j/server/rest/security/AuthorizationCorsIT.java
@@ -31,6 +31,11 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
+import static org.neo4j.server.rest.web.CorsFilter.ACCESS_CONTROL_ALLOW_HEADERS;
+import static org.neo4j.server.rest.web.CorsFilter.ACCESS_CONTROL_ALLOW_METHODS;
+import static org.neo4j.server.rest.web.CorsFilter.ACCESS_CONTROL_ALLOW_ORIGIN;
+import static org.neo4j.server.rest.web.CorsFilter.ACCESS_CONTROL_REQUEST_HEADERS;
+import static org.neo4j.server.rest.web.CorsFilter.ACCESS_CONTROL_REQUEST_METHOD;
 import static org.neo4j.test.server.HTTP.RawPayload.quotedJson;
 
 public class AuthorizationCorsIT extends CommunityServerTestBase
@@ -86,16 +91,49 @@ public void shouldAddCorsHeaderWhenAuthEnabledAndIncorrectPassword() throws Exce
         assertThat( response.content().toString(), containsString( "Neo.ClientError.Security.Unauthorized" ) );
     }
 
+    @Test
+    public void shouldAddCorsMethodsHeader() throws Exception
+    {
+        startServer( false );
+
+        HTTP.Builder requestBuilder = requestWithHeaders( "authDisabled", "authDisabled" )
+                .withHeaders( ACCESS_CONTROL_REQUEST_METHOD, "POST, GET, DELETE" );
+        HTTP.Response response = runQuery( requestBuilder );
+
+        assertEquals( OK.getStatusCode(), response.status() );
+        assertCorsHeaderPresent( response );
+        assertEquals( "POST, GET, DELETE", response.header( ACCESS_CONTROL_ALLOW_METHODS ) );
+    }
+
+    @Test
+    public void shouldAddCorsRequestHeaders() throws Exception
+    {
+        startServer( false );
+
+        HTTP.Builder requestBuilder = requestWithHeaders( "authDisabled", "authDisabled" )
+                .withHeaders( ACCESS_CONTROL_REQUEST_HEADERS, "Accept, X-Not-Accept" );
+        HTTP.Response response = runQuery( requestBuilder );
+
+        assertEquals( OK.getStatusCode(), response.status() );
+        assertCorsHeaderPresent( response );
+        assertEquals( "Accept, X-Not-Accept", response.header( ACCESS_CONTROL_ALLOW_HEADERS ) );
+    }
+
     private HTTP.Response changePassword( String username, String oldPassword, String newPassword )
     {
         HTTP.RawPayload passwordChange = quotedJson( "{'password': '" + newPassword + "'}" );
         return requestWithHeaders( username, oldPassword ).POST( passwordURL( username ), passwordChange );
     }
 
     private HTTP.Response runQuery( String username, String password )
+    {
+        return runQuery( requestWithHeaders( username, password ) );
+    }
+
+    private HTTP.Response runQuery( HTTP.Builder requestBuilder )
     {
         HTTP.RawPayload statements = quotedJson( "{'statements': [{'statement': 'RETURN 42'}]}" );
-        return requestWithHeaders( username, password ).POST( txCommitURL(), statements );
+        return requestBuilder.POST( txCommitURL(), statements );
     }
 
     private HTTP.Builder requestWithHeaders( String username, String password )
@@ -109,6 +147,6 @@ HttpHeaders.AUTHORIZATION, basicAuthHeader( username, password )
 
     private static void assertCorsHeaderPresent( HTTP.Response response )
     {
-        assertEquals( "*", response.header( "Access-Control-Allow-Origin" ) );
+        assertEquals( "*", response.header( ACCESS_CONTROL_ALLOW_ORIGIN ) );
     }
 }